According to Mbed TLS changelog this feature was set default ON
since 3.1.0 release, so the build symbol is no more available.
This commit removes it from Zephyr.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Mbed TLS automatically sets PSA_WANT_KEY_TYPE_[RSA/ECC]_KEY_PAIR_BASIC
whenever "_IMPORT || _EXPORT || _GENERATE || _DERIVE" operations
are set. Therefore we just set the proper actions where required.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
This is meant to be used only for tests on platforms where CSPRNG
sources are not available. It should not be used in production.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Improve the description of both MBEDTLS_PSA_CRYPTO_LEGACY_RNG and
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG kconfig symbols.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
- Slightly improve the name of this kconfig adding the suffix
_POLL in order to highlight that this adds a callback
function used to poll data.
- Description was also updated to point out that this symbols
might not only use the (secure) entropy driver, but also
generic number generators, some of which are not really
secure.
- The symbol was move from Kconfig to Kconfig.tls-generic because
this is where MBEDTLS_ENTROPY_C is located and since
MBEDTLS_ENTROPY_HARDWARE_ALT depends on the former (it only
makes sense if the entropy module is also enabled), we add
also the "depends on".
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
ENABLED suffix does not really makes much sense for a kconfig
so it should be removed. Also other MBEDTLS symbols were recently
updated accordingly.
Moreover having it named exactly the same way as in Mbed TLS
symplifies the understanding of what this kconfig is doing.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Rename `MBEDTLS_PSA_CRYPTO_RND_SOURCE`->`MBEDTLS_PSA_CRYPTO_RNG_SOURCE`
as all other options use `RNG` for random number generator instead of
`RND` for random number.
Signed-off-by: Jordan Yates <jordan@embeint.com>
Make it depend on MBEDTLS_PSA_P256M_DRIVER_ENABLED instead of
selecting it.
This fixes the build of
tests/crypto/secp256r1/crypto.secp256r1.p256-m_raw on filtered-out
platforms since PR #75441 (83cd9f5a01).
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Instead of silently `#undef`ing PSA_CRYPTO_C when TF-M is in use,
enforce that rule at the Kconfig level.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Add proper PSA_WANT kconfigs for TLS sockets and RSA key exchanges
when CONFIG_PSA_CRYPTO_CLIENT is set.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
For sake of memory footprint it might be required to shrink
down the memory footprint as much as possible. Unfortunately Mbed TLS
PSA interface brings in some extra code for key management which makes
it larger than the TinyCrypt counterpart when it comes to p256-m
interfacing. For this reason it might be useful to directly access
the p256-m driver directly.
This commit adds this support and it also updates the corresponding
test in order to make use of this condition.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Add support for the CortexM optimized implementation of secp256r1
code. It supports:
- import & export
- key agreement
- sign & verify
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
As of Mbed TLS 3.6 (which is the currently used version in Zephyr)
Blowfish, ARC4 and MD4 are no more supported so existing kconfigs
have no effect at all. Moreover they are not even used anywhere
in Zephyr.
This commit just removes them all and it also updates the migration
guide document.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
In an effort to shave off code size, remove out-of-the-box
enabling of crypto features (except SHA-256).
Configurations are adjusted to enable what they need.
Bonuses:
- When enabled, AES now defaults to using a smaller version
(`CONFIG_MBEDTLS_AES_ROM_TABLES` isn't default enabled anymore,
and if enabled, `CONFIG_MBEDTLS_AES_FEWER_TABLES` defaults to y).
- Conditions around Mbed TLS Kconfig options have been improved
to reflect the reality of the dependencies.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Remove the `_MAC` part because those Kconfig options enable only hash
algorithms, nothing MAC-related, and the `_ENABLED` part to align the
naming to the Mbed TLS defines (plus we don't need such a part).
As a bonus, enabling SHA-256 does not automatically enable SHA-224
anymore.
See the migration guide entries for more details on the practical
changes.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Instead of selecting legacy MBEDTLS symbols, use corresponding
PSA_WANT ones when possible (note: some legacy symbols do not
have a PSA correspondance).
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Using MBEDTLS_PSA_CRYPTO_CLIENT to guard all PSA_WANT symbols is
not completely correct because:
1. the prefix MBEDTLS suggests that it's something related to
MbedTLS, while actually PSA APIs can be provided also
by other implementations (ex: TFM)
2. there might applications which are willing to use PSA APIs
without using MbedTLS at all. For example computing an hash
can be as simple as writing psa_hash_compute() and, if the
PSA function is provided thorugh TFM, then MbedTLS is not
required at all
Therefore this commit:
- moves MBEDTLS_PSA_CRYPTO_CLIENT to Kconfig.tls-generic since
that symbol belongs to MbedTLS
- adds a new symbol named PSA_CRYPTO_CLIENT as a generic way
to state that there is "some" PSA crypto API provider
- let MBEDTLS_PSA_CRYPTO_CLIENT automatically select
PSA_CRYPTO_CLIENT, since the former is an implementation of
the latter.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Now that support for all PSA_WANT symbols is in place, we can
enable MBEDTLS_USE_PSA_CRYPTO when MBEDTLS_PSA_CRYPTO_C is
enabled as well.
Note: this commit also moves USE_PSA_CRYPTO out of CRYPTO_C
dependency in config-tls-generic.h because TLS/DTLS/X509 modules
of MbedTLS can rely on *any* implementation of PSA crypto APIs
not only the MbedTLS one. TFM is for example an alternative
to this.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
- Do not set CONFIG_MBEDTLS_ZEPHYR_ENTROPY in
tests/crypto/mbedtls because this can cause test failure on
real devices in which test thread do not have access to
drivers.
- make MBEDTLS_PSA_CRYPTO_RND_SOURCE depending on
MBEDTLS_PSA_CRYPTO_C because it only makes sense when the
latter is defined
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
It is meant specifically for configuration of the PSA crypto library.
The underlying PSA configuration items are guarded by the condition
that a PSA crypto provider must be present, which is the case when
either TF-M is in use or MbedTLS's PSA core is built as part of
the application image.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
MBEDTLS_PSA_CRYPTO_C and MBEDTLS_USE_PSA_CRYPTO are 2 different
things and the former should not automatically enable the
latter. The reson is that the user might want the MbedTLS
PSA crypto toolbox to be built, but at the same time he/she
does not want TLS/DTLS (and other intermediate modules such
as PK, MD and Cipher) to use PSA APIs.
For this reason this commit introduces a new Kconfig option
named CONFIG_MBEDTLS_USE_PSA_CRYPTO to enable the corresponding
build symbol. By default USE_PSA_CRYPTO is disabled. It is
only explicilty enabled in tests/samples that were previously
setting CRYPTO_C (since in those cases USE_PSA was set).
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Add a choice to select between legacy modules
(i.e. ENTROPY + CTR_DRBG/HMAC_DRBG) and CSPRNG as random generators
for PSA_CRYPTO_C.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Do not enable hash algorithms except SHA-256 by default.
This unnecessarily inflates the final code size even if not all the
enabled hash algorithms are actually used.
SHA-256 is (for now) kept enabled by default because many configurations
across the code base assume that there is some hash algorithm
available without needing to enable it.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
After an update to mbed TLS 3.3.0, dependencies with
CONFIG_MBEDTLS_PSA_CRYPTO_C enabled got affected.
mbed TLS in its build_info.h file, enables MBEDTLS_PK_WRITE_C config
under the hood. MBEDTLS_PK_WRITE_C has a dependency to
MBEDTLS_ASN1_WRITE_C which wasn't reflected anywhere.
Therefore, update Kconfig.tls-generic to enable
CONFIG_MBEDTLS_PK_WRITE_C automatically, when PSA crypto is enabled, to
reflect mbed TLS configuration pattern. Additionally, enable
MBEDTLS_ASN1_WRITE_C automatically, when PK write is enabled.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add a kconfig symbol to control the mbedtls option
`MBEDTLS_AES_FEWER_TABLES`. 6KiB is a not insignificant ROM/RAM savings,
and the extra arthmetic is quite reasonable.
Signed-off-by: Jordan Yates <jordan.yates@data61.csiro.au>
Instead of using "select" on certain EC configurations, which is
considered unsafe for various reasons, use a "depends on" and rely on
the user to set a proper configuration in the config file.
Update the respective project configurations to comply with the new
configuration scheme.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Instead of relying on selected ciphesuite to enable mbed TLS EC configs,
add separate config entries to enable them. This allows to use EC
functionality w/o TLS/DTLS enabled.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Before mbedTLS 3.0 there was just SHA512 option, which enabled both SHA384
and SHA512 support. mbedTLS 3.0 introduced SHA384 specific option, which
means that SHA384 got unsupported after merging
commit 4e6cfb67f9 ("modules: mbedTLS: Bump mbedTLS to 3.0").
Introduce SHA384 Kconfig options, so that support for it can be selected in
project configuration if needed. Since SHA384 still depends on SHA512 to be
selected, add such dependency in Kconfig.
Select SHA384 support in non-generic (not configured by Kconfig) mbedTLS
config headers, so that previous (before mbedTLS 3.0 was merged) behavior
is regained.
Fixes: 4e6cfb67f9 ("modules: mbedTLS: Bump mbedTLS to 3.0")
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Add Kconfig configuration options which allow to configure
session caching in mbed TLS.
Note, that mbed TLS only takes care of server-side caching, the
application (socket layer) needs to implement a session storage for
client.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
According to Kconfig guidelines, boolean prompts must not start with
"Enable...". The following command has been used to automate the changes
in this patch:
sed -i "s/bool \"[Ee]nables\? \(\w\)/bool \"\U\1/g" **/Kconfig*
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
So far maximum PSK length was configured by mbedTLS as 32 bytes.
Introduce Kconfig option that will configure it instead of relying on
default value from mbedTLS library, so that user can easily adjust that
value to application needs.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Currently the MBEDTLS_HAVE_TIME_DATE mbedTLS option is enabled based on
the CONFIG_POSIX_API option. This doesn't seem right, since the enabling
the POSIX API does not guarantee that there is a valid time source in
the system. This was the case for the qemu_x86 platform, where enabling
POSIX_API caused TLS handshake failures due to certificate validation
errors caused by no valid time avaialble in the system.
Fix this by adding a specific KConfig entry for date/time configuration
in mbedTLS. Applications that need to enforce date verification in
mbedTLS should enable it explicitly instead of relying on the
non-obvious implicit configuration.
Fixes#35401
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
This commit removes the prompt from MBEDTLS_USER_CONFIG_FILE unless
MBEDTLS_USER_CONFIG_ENABLE is true.
This fixes issues where other parts would specify a default value for
MBEDTLS_USER_CONFIG_FILE that would become stuck and not updated if
user re-configured the system using menuconfig.
Disabling the prompt ensures that only when a user specifically enables
MBEDTLS_USER_CONFIG_ENABLE and specify a custom user value in
MBEDTLS_USER_CONFIG_FILE the setting will be fixed.
Also updates the manifest with related change in the mbedtls project.
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
We move the Zephyr-specific CMakeLists.txt file into
the main Zephyr tree. We also move the zephyr_init.c
source file.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
